Posted On 02.10.2025

Wikijs | Postgresql | Transport Encryption

0 comments
confdroid.com >> blog >> Wikijs | Postgresql | Transport Encryption
02.10.202502.10.2025 0 Comments

Today I am on a quest to have all my applications running in Kubernetes containers connected to PostgreSQL to only use encrypted database connections. Earlier I did Sonarqube and posted about it. Now let’s talk about Wikijs, which I am using for my wiki.
Needless to say that the Postgresql database server is already set for encryption and pg_hba.conf has proper entries.
Wikijs is based on node.js and that has its own rules about using SSL for the database encryption. Like with my Sonar setup, I don’t want to run full chain verification, only the traffic encryption does suffice for me. However Node.js is a bit fuzzy about it and simply enabling SSL like SSL:true will not work because it throws a tantrum about a self-signed certificate. What we need to do is tell it two more things:

sslOptions: auto: false # rejectUnauthorized: false

This is documented here. How do we do it in a Kubernetes raw manifest: Using a config map and reference it in the deployment:

apiVersion: v1
kind: ConfigMap
metadata:
     name: wikijs-config
     namespace: wikijs
labels:
     app: wikijs
data:
      DB_HOST: "<db_host>
     DB_PORT: "5432"
     DB_NAME: "<db_name>"
     DB_USER: "<db_user"
     DB_SSL: '{"auto":false,"rejectUnauthorized":false}'

and the reference:

Advertisements
 containers:
        - name: wikijs
          image: requarks/wiki:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
          env:
            - name: DB_TYPE
              value: "postgres"
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_HOST
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_PORT
            - name: DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_NAME
            - name: DB_USER
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_USER
            - name: DB_SSL
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_SSL

Replace the values in <> with your real values.
Anything else goes as usual. This way, our traffic is encrypted and we are all good to go.

Happy coding!

Update

Turned out at the end this was not sufficient. The real solution is described in this blog post and is indeed fully tested. Another technical description can be found in my wiki.

Author Profile

12ww1160DevOps engineer & architect

Advertisements
Tags: , ,
Categories:

One thought on “Wikijs | Postgresql | Transport Encryption”

  • sunrider

    Turns out there is more to the thing. The DB_SSL probably needs more settings. Running it like above does not throw an error, but when I remove the pg_hba entry for ‘host’ and only leave ‘hostssl’, the connection fails. Coming back to that again.

Leave a Reply

Your email address will not be published. Required fields are marked *

fourteen + 19 =

Related Post

Post Image

Read More

Infrastructure as Code

Here we had a glance on configuration management, a huge topic on its own and…

Read More

Kubectl cheat sheet

I am dealing with Kubernetes on a daily basis. Although I am using the very…

Read More

Kubernetes – create a configuration backup with kubectl

This article intends to explain how to create a configuration backup of an helm installed…